author | Frank de Brabander <debrabander@gmail.com> | 2022-10-18 18:37:51 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-10-25 13:42:00 +0100 |
commit | e5f6652854f544106b40d860de2946954de642f3 (patch) | |
tree | 48af32549f677daa77eccf6b3c6fdd572b16b4e2 /meta/recipes-core | |
parent | 15715e6ad81c97cd50e288f3745615eb19be90d1 (diff) | |
cve-update-db-native: add timeout to urlopen() calls
The urlopen() call can block indefinitely under some circumstances.
This can cause the bitbake process to run endlessly, because the
'do_fetch' task of cve-update-db-native remains active.
This adds a default timeout of 60 seconds to avoid this hang, while
being large enough to minimize the risk of unwanted timeouts.
Signed-off-by: Frank de Brabander <debrabander@gmail.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/meta/cve-update-db-native.bb | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 944243fce9..9b9dbbd75f 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -18,6 +18,9 @@ NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
 # Use a negative value to skip the update
 CVE_DB_UPDATE_INTERVAL ?= "86400"
+# Timeout for blocking socket operations, such as the connection attempt.
+CVE_SOCKET_TIMEOUT ?= "60"
+
 python () {
 if not bb.data.inherits_class("cve-check", d):
 raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
@@ -39,6 +42,8 @@ python do_fetch() {
 db_file = d.getVar("CVE_CHECK_DB_FILE")
 db_dir = os.path.dirname(db_file)
+ cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
+
 if os.path.exists("{0}-journal".format(db_file)):
 # If a journal is present the last update might have been interrupted. In that case,
 # just wipe any leftovers and force the DB to be recreated.
@@ -79,7 +84,7 @@ python do_fetch() {
 # Retrieve meta last modified date
 try:
- response = urllib.request.urlopen(meta_url)
+ response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout)
 except urllib.error.URLError as e:
 cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
 bb.warn("Failed to fetch CVE data (%s)" % e.reason)
@@ -107,7 +112,7 @@ python do_fetch() {
 # Update db with current year json file
 try:
- response = urllib.request.urlopen(json_url)
+ response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout)
 if response:
 update_db(conn, gzip.decompress(response.read()).decode('utf-8'))
 conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close() |
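Review bot: The comment on `CVE_SOCKET_TIMEOUT` gives neither the unit nor the scope of the timeout. The value is later passed to `urlopen(timeout=...)`, which takes seconds and applies to each blocking socket operation rather than to the whole transfer. A server that keeps sending data slowly can therefore still hold do_fetch open for longer than the configured value. I would say so in the comment: `# Timeout in seconds for each blocking socket operation (connect, individual reads); this is not a limit on total download time.`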
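Review bot: `int(d.getVar("CVE_SOCKET_TIMEOUT"))` converts a user-overridable setting without validation. A non-numeric or empty value raises `ValueError` from inside do_fetch (`TypeError` if `getVar` returns `None`), and a zero or negative value is handed to `urlopen()` unchanged, where it no longer means "wait up to N seconds". Rejecting bad values before any network work gives a clear message instead of a traceback or a fetch that fails and leaves the CVE database stale. do_fetch starts before and continues after this hunk.

```python
    db_dir = os.path.dirname(db_file)

    try:
        cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
    except (TypeError, ValueError):
        bb.fatal("CVE_SOCKET_TIMEOUT must be an integer number of seconds")
    if cve_socket_timeout <= 0:
        bb.fatal("CVE_SOCKET_TIMEOUT must be greater than zero")

    # … unchanged: journal check and database setup …
```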
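Review bot: The `except urllib.error.URLError` handler in this hunk does not cover every timeout that the new `timeout=` argument can produce. A stall after the connection is established, while waiting for the response or during `response.read()`, can surface as a bare `socket.timeout`, which is an `OSError` but not a `URLError`. do_fetch would then fail with a traceback instead of taking the warn-and-return path. Catching `except OSError as e:` and logging `getattr(e, "reason", e)` would handle both cases. The same applies to the `json_url` fetch in the next hunk, where `response.read()` sits inside the `try` and the handler lies outside the hunk.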